mickelsonmichael / dev


NPM install issue `Error: error:0308010C:digital envelope routines::unsupported` #2

Closed mickelsonmichael closed 2 years ago

mickelsonmichael commented 2 years ago

Summary

While attempting to build a React application with a Node backend, I was getting an exception during the pipeline segment

> webpack --config webpack.server.js --mode=production
node:internal/crypto/hash:71
  this[kHandle] = new _Hash(algorithm, xofLen);
                  ^
Error: error:0308010C:digital envelope routines::unsupported
    at new Hash (node:internal/crypto/hash:71:19)
    at Object.createHash (node:crypto:133:10)
    at module.exports (/builds/gis-lab/market-replay/market-replay-frontend/node_modules/webpack/lib/util/createHash.js:135:53)
    at NormalModule._initBuildHash (/builds/gis-lab/market-replay/market-replay-frontend/node_modules/webpack/lib/NormalModule.js:417:16)
    at handleParseError (/builds/gis-lab/market-replay/market-replay-frontend/node_modules/webpack/lib/NormalModule.js:471:10)
    at /builds/gis-lab/market-replay/market-replay-frontend/node_modules/webpack/lib/NormalModule.js:503:5
    at /builds/gis-lab/market-replay/market-replay-frontend/node_modules/webpack/lib/NormalModule.js:358:12
    at /builds/gis-lab/market-replay/market-replay-frontend/node_modules/loader-runner/lib/LoaderRunner.js:373:3
    at iterateNormalLoaders (/builds/gis-lab/market-replay/market-replay-frontend/node_modules/loader-runner/lib/LoaderRunner.js:214:10)
    at iterateNormalLoaders (/builds/gis-lab/market-replay/market-replay-frontend/node_modules/loader-runner/lib/LoaderRunner.js:221:10)
    at /builds/gis-lab/market-replay/market-replay-frontend/node_modules/loader-runner/lib/LoaderRunner.js:236:3
    at context.callback (/builds/gis-lab/market-replay/market-replay-frontend/node_modules/loader-runner/lib/LoaderRunner.js:111:13)
    at /builds/gis-lab/market-replay/market-replay-frontend/node_modules/babel-loader/lib/index.js:59:71 {
  opensslErrorStack: [ 'error:03000086:digital envelope routines::initialization error' ],
  library: 'digital envelope routines',
  reason: 'unsupported',
  code: 'ERR_OSSL_EVP_UNSUPPORTED'
}
Node.js v18.8.0

Notes

mickelsonmichael commented 2 years ago

I attempted to use the suggested answer here: https://stackoverflow.com/a/73027407/3338349

However, I got a different exception because I was working with Nasdaq's Nexus implementation, and received the following exception

> npm audit fix --force
npm WARN using --force Recommended protections disabled.
npm WARN audit 400 Bad Request - POST https://nexus.exchsys.nasdaq.com/repository/npm/-/npm/v1/security/audits/quick

==================================================================
Nexus Lifecycle or Nexus Firewall must be configured. Please contact your NXRM administrator.
==================================================================
npm ERR! audit endpoint returned an error

mickelsonmichael commented 2 years ago

The final solution was a multi-part solution.

1. Find the offending package

You can run the npm audit command if you add the --registry flag and point it to the public registry. Then, with that report generated, search through the vulnerabilities until you find one that mentions the cryptographic signatures. In my case, it was the elliptic package which was reporting Use of a Broken or Risky Cryptographic Algorithm.

> npm audit --registry=https://registry.npmjs.org
# npm audit report
.
.
.
elliptic  <6.5.4
Severity: moderate
Use of a Broken or Risky Cryptographic Algorithm - https://github.com/advisories/GHSA-r9p9-mrjm-926w
fix available via `npm audit fix`
node_modules/elliptic
.
.
.
50 vulnerabilities (1 low, 14 moderate, 27 high, 8 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues possible (including breaking changes), run:
  npm audit fix --force

Some issues need review, and may require choosing
a different dependency.

2. Update the offending package(s)

Simply update the offending package, either by manually updating the package.json or by using the npm update command. In my case, I had to bump the elliptic version to a version greater than 6.5.4, which was only a single minor version less than I had already (6.5.3).

mickelsonmichael commented 2 years ago

Apparently, a workaround line I had added earlier to my pipeline was holding everything together without my realizing it. I was setting NODE_OPTIONS: '--openssl-legacy-provider' in my .gitlab-ci.yml file, which didn't initially work but worked when I updated my elliptic version. However, removing the line re-introduced the error.

mickelsonmichael commented 2 years ago

A keen observer in this StackOverflow comment pointed out that the MD4 algorithm is hard-coded into older versions of Webpack and does not utilize the version specified by the hashFunction option.

The proper solution would be to update to create-react-app which utilizes a more recent version of Webpack. However, if that is not possible, then the --openssl-legacy-provider workaround may be required in the meantime.

I want to stress, however, that this is not a permanent fix, because it leaves your code vulnerable. OpenSSL removed MD4 for a reason, and creating workarounds to subvert that removal seems antithetical to secure practices.

In my particular scenario, we aren't able to easily convert to Webpack 5 because of the way the webworkers were configured to use the worker-loader library, which no longer exists in Webpack. In order to upgrade, we will need to modify the workers to align more with what Webpack expects web workers to look like.